[Tus] HEAD+OPTIONS method are done with HTTP instead HTTPS

Hi,

I’m facing a weird issue, I pass to the Tus plugin a SSL endpoint:

    this.uppy.use(Tus, {
      endpoint: 'https://domain.com',
    });

But when it tries to upload it will request both OPTIONS and HEAD methods with a non-secured URL (http://domain.com/upload/...), and since my backend forces redirecting all HTTP requests to HTTPS URLs, I get this error:

Access to XMLHttpRequest at 'http://domain.com/upload/044011bcf4c39d9df600f7784860be90' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I didn’t find information about that, maybe I’m doing wrong? I don’t see a property to set so the original HTTPS is kept.

Thank you,

EDIT: note that in the HEAD response headers I have

Non-Authoritative-Reason: HSTS

I’m investigating if that’s really my backend that forces the redirection or if Google is doing it.

EDIT2: when testing https://uppy.io/examples/dragdrop/ it looks like HEAD+OPTIONS use properly the HTTPS. I will take a look on the Tus client

EDIT3: the initial POST method is done over HTTPS with success. Maybe to upload that’s simplier to use raw HTTP?

EDIT4: my bad, I just understood Uppy relies on the URL returned by the Tus server… and it returns headers like:

location: http://domain.com/upload/e07b5029433ce17b67ea20ff01d34002
status: 201
strict-transport-security: max-age=15724800; includeSubDomains
tus-resumable: 1.0.0
x-content-type-options: nosniff
x-envoy-upstream-service-time: 2188

so it’s the one I need to investigate on 😃 I will keep you posted and close when appropriate